The education platform Canvas went into maintenance mode Thursday after parent company Instructure suffered a data breach affecting over 8,800 schools, while separately, attackers exploited a critical cPanel zero-day vulnerability to compromise more than 40,000 servers worldwide.
Canvas Breach Impacts Thousands of Schools
The ShinyHunters ransomware group claimed responsibility for breaching Instructure’s Canvas platform, according to Wired’s reporting. The attack forced Canvas into maintenance mode during peak academic season, disrupting universities including Harvard, Columbia, Rutgers, and Georgetown as students faced finals and end-of-year assignments.
Steve Proud, Instructure’s chief information security officer, confirmed in incident updates that the breach exposed user names, email addresses, student ID numbers, and platform messages for affected institutions. The hackers advertised the breach on their dark web site starting May 1, claiming it impacted more than 8,800 educational institutions across multiple states.
Canvas serves as a critical digital learning infrastructure for higher education and K-12 districts nationwide. The timing of the attack during finals season amplified its impact, as students and faculty lost access to coursework, grades, and communication tools.
Critical cPanel Zero-Day Exploited Worldwide
Separately, threat actors have compromised over 40,000 servers by exploiting CVE-2026-41940, a critical authentication-bypass vulnerability in cPanel & WebHost Manager, according to SecurityWeek. The Shadowserver Foundation reported the massive compromise campaign targeting the widely used server management platform.
The vulnerability, disclosed April 28, allows unauthenticated attackers to gain administrative access to cPanel instances through special characters in authorization headers. Attackers can write parameters to session files and trigger reloads to authenticate using injected administrative credentials.
Rapid7 warned that approximately 1.5 million cPanel instances remain accessible from the internet. The Shadowserver Foundation tracked 44,000 unique IP addresses conducting scanning and exploitation attempts against its honeypot sensors, with most compromised systems located in the United States, France, and the Netherlands.
https://x.com/Shadowserver/status/2050208472386396568
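The article only says that the bypass involves special characters in authorization headers, so the mechanism itself is not reproduced here. What a defender can do in front of any management login, while waiting for the vendor patch, is refuse to hand the application a credential that does not match the header grammar at all. The following is an added example, not cPanel's own code, of a strict RFC 7235/7617 Basic-credential validator that rejects control bytes, non-token68 characters, malformed base64, and control characters smuggled inside the decoded user:password pair. The function names and the 4096-byte length cap are this example's own choices; the validator is defense in depth and is not a substitute for applying the fix.

```python
import base64
import re

# RFC 7235 token68: 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
TOKEN68_RE = re.compile(r"[A-Za-z0-9\-._~+/]+=*")
# Control characters, DEL and non-ASCII bytes never belong in a header value.
RAW_UNSAFE_RE = re.compile(r"[\x00-\x1f\x7f-\xff]")
# Inside the decoded credential only control characters are forbidden;
# non-ASCII passwords are legitimate.
DECODED_CTRL_RE = re.compile(r"[\x00-\x1f\x7f]")
MAX_HEADER_LEN = 4096  # assumption: generous cap for a Basic credential


class AuthHeaderRejected(ValueError):
    """Raised when an Authorization header deviates from the expected grammar."""


def validate_basic_authorization(header_value: str) -> tuple[str, str]:
    """Return (username, password) for a well-formed Basic credential.

    Anything that is not exactly 'Basic <token68>' with a decodable
    user:password payload is rejected before the application's own
    parser or session layer ever sees it.
    """
    if len(header_value) > MAX_HEADER_LEN:
        raise AuthHeaderRejected("Authorization header too long")
    if RAW_UNSAFE_RE.search(header_value):
        raise AuthHeaderRejected("control or non-ASCII byte in Authorization header")
    parts = header_value.split(" ", 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        raise AuthHeaderRejected("unsupported or malformed auth-scheme")
    token = parts[1].strip(" ")
    if not TOKEN68_RE.fullmatch(token):
        raise AuthHeaderRejected("credential is not a token68 value")
    try:
        # validate=True rejects characters outside the base64 alphabet instead
        # of silently discarding them.
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        raise AuthHeaderRejected("credential is not valid base64/UTF-8")
    if ":" not in decoded:
        raise AuthHeaderRejected("decoded credential lacks the user:password separator")
    user, password = decoded.split(":", 1)
    if not user or DECODED_CTRL_RE.search(user) or DECODED_CTRL_RE.search(password):
        raise AuthHeaderRejected("empty username or control character in decoded credential")
    return user, password


def is_acceptable(header_value: str) -> bool:
    """Boolean wrapper for use in a request pre-filter or a unit test."""
    try:
        validate_basic_authorization(header_value)
        return True
    except AuthHeaderRejected:
        return False


if __name__ == "__main__":
    # Constructed sample headers; the first is 'user:pass', the last hides a
    # newline inside the decoded password.
    for sample in ("Basic dXNlcjpwYXNz", "Basic dXNlcjpwYXNz\r\nX-Injected: 1",
                   "Bearer dXNlcjpwYXNz", "Basic dXNlcg==", "Basic dXNlcjpwYQpzcw=="):
        print(repr(sample), "->", "accept" if is_acceptable(sample) else "reject")
```

Placing this check in a reverse proxy or WAF in front of the management ports means a credential that the application would have to interpret leniently is dropped with a 400 before any session state is written.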
Iranian APT Masquerades as Chaos Ransomware
The Iran-linked APT group MuddyWater conducted an intrusion campaign disguised as a Chaos ransomware attack, Rapid7 reported. The operation in early 2026 used social engineering through Microsoft Teams to establish screen-sharing sessions with victim employees.
Attackers instructed users to enter credentials into locally created text files and deployed the AnyDesk remote management tool for persistent access. They performed typical espionage activities including reconnaissance, credential harvesting, and data theft, but never deployed actual file-encrypting ransomware.
The threat actors sent extortion emails claiming to have stolen information and directed victims to the Chaos ransomware leak site. However, the planted Chaos artifacts served as false flags to conceal the state-sponsored espionage operation behind apparent criminal ransomware activity.
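The tradecraft described above leaves a recognisable sequence in endpoint telemetry: a collaboration app session, followed shortly by a remote-management tool the organisation never deployed, often run straight from the user's profile directory. The script below is an added example, not Rapid7's detection content, that correlates constructed Sysmon-style process-creation events per user and flags that pattern. The event lines, the 30-minute correlation window, the list of remote-management executables, and the choice of ScreenConnect as the "approved" tool are all assumptions made for the example.

```python
import json
from datetime import datetime, timedelta

# Remote-management executables worth watching; the allow-list is an
# assumption standing in for whatever the IT team actually manages.
RMM_EXECUTABLES = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe", "screenconnect.client.exe"}
APPROVED_RMM = {"screenconnect.client.exe"}
COLLAB_APPS = {"ms-teams.exe", "teams.exe", "zoom.exe", "slack.exe"}
CORRELATION_WINDOW = timedelta(minutes=30)

# Constructed Sysmon Event ID 1 style records (JSON lines), not telemetry
# from the incident described in the article.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"UtcTime": "2026-02-03 09:12:05", "User": "CORP\\jdoe",
                "Image": "C:\\Program Files\\WindowsApps\\MSTeams_1.0\\ms-teams.exe",
                "ParentImage": "C:\\Windows\\explorer.exe"}),
    json.dumps({"UtcTime": "2026-02-03 09:20:41", "User": "CORP\\jdoe",
                "Image": "C:\\Windows\\System32\\notepad.exe",
                "ParentImage": "C:\\Windows\\explorer.exe"}),
    json.dumps({"UtcTime": "2026-02-03 09:25:17", "User": "CORP\\jdoe",
                "Image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
                "ParentImage": "C:\\Windows\\explorer.exe"}),
    json.dumps({"UtcTime": "2026-02-03 11:02:00", "User": "CORP\\asmith",
                "Image": "C:\\Program Files\\ScreenConnect Client\\ScreenConnect.Client.exe",
                "ParentImage": "C:\\Windows\\System32\\services.exe"}),
])


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list[dict]:
    """Parse JSON lines into dicts with a parsed '_time', oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["_time"] = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        events.append(ev)
    return sorted(events, key=lambda e: e["_time"])


def detect_rmm_after_collab(events: list[dict]) -> list[dict]:
    """Flag unapproved remote-management tools, enriched with context about
    whether a collaboration app preceded them for the same user and whether
    the binary ran from a user profile path."""
    last_collab: dict[str, datetime] = {}
    findings = []
    for ev in events:
        image = _basename(ev["Image"])
        user = ev["User"]
        if image in COLLAB_APPS:
            last_collab[user] = ev["_time"]
            continue
        if image not in RMM_EXECUTABLES or image in APPROVED_RMM:
            continue
        reasons = [f"{image} is not an approved remote-management tool"]
        started = last_collab.get(user)
        if started is not None and ev["_time"] - started <= CORRELATION_WINDOW:
            minutes = int((ev["_time"] - started).total_seconds() // 60)
            reasons.append(f"launched {minutes} min after a collaboration app started")
        if ev["Image"].lower().startswith("c:\\users\\"):
            reasons.append("executed from a user profile directory rather than a managed install path")
        findings.append({"user": user, "image": ev["Image"],
                         "time": ev["UtcTime"], "reasons": reasons})
    return findings


def run_sample() -> list[dict]:
    return detect_rmm_after_collab(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding["time"], finding["user"], finding["image"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The approved-tool entry is left alone even though it is a remote-management binary, which keeps the rule quiet on the IT team's own sessions; the profile-path and timing reasons are what lift a single AnyDesk execution from "policy violation" to "investigate now".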
Karakurt Ransomware Negotiator Gets 8.5 Years
Deniss Zolotarjovs, a 35-year-old Latvian member of the Karakurt ransomware gang, received an 8.5-year prison sentence for extortion activities, SecurityWeek reported. Zolotarjovs operated as a negotiator between June 2021 and March 2023, when Karakurt hit at least 53 entities and caused $56 million in losses.
Court documents showed Zolotarjovs analyzed stolen data and conducted ransom negotiations, receiving 10% of payments in cryptocurrency. In one case involving a pediatric healthcare company, he recommended publishing children’s patient data online to escalate pressure when the victim delayed payment.
Karakurt, also known as TommyLeaks and associated with the Conti group, targeted organizations across multiple industries to steal personally identifiable information including Social Security numbers and healthcare data.
RansomHouse Claims Trellix Cybersecurity Breach
The RansomHouse ransomware group claimed responsibility for attacking cybersecurity firm Trellix, according to SecurityWeek. Trellix confirmed that part of its source code repository was breached but stated no evidence suggested the breach affected code release or distribution processes.
RansomHouse published screenshots appearing to show access to Trellix’s internal services and management dashboards. The attack’s timing suggested potential connections to a supply chain campaign by TeamPCP and Lapsus$ groups that recently impacted Checkmarx, Aqua Security, and Bitwarden.
RansomHouse operates as a ransomware-as-a-service provider targeting large enterprises. Its Tor-based leak website currently lists over 170 victims, and the group combines file encryption with data theft to increase the likelihood of ransom payment.
What This Means
These incidents highlight the evolving ransomware landscape where attackers increasingly target critical infrastructure and educational systems. The Canvas breach demonstrates how single-platform attacks can cascade across thousands of institutions, while the cPanel zero-day shows how quickly attackers exploit newly disclosed vulnerabilities at scale.
The MuddyWater campaign reveals sophisticated state actors using ransomware as cover for espionage operations, complicating attribution and response efforts. Meanwhile, successful prosecutions like the Karakurt case show law enforcement making progress against ransomware operators, though the 8.5-year sentence for $56 million in damages may not deter future attackers.
Organizations must prioritize rapid patching, especially for internet-facing management platforms like cPanel, and implement robust backup and incident response procedures to minimize disruption during attacks.
FAQ
How many schools were affected by the Canvas hack?
The ShinyHunters ransomware group claims over 8,800 schools were impacted, though the exact scope remains unclear. Major universities like Harvard, Columbia, and Rutgers confirmed disruptions to their Canvas services during the incident.
What makes the cPanel vulnerability so dangerous?
CVE-2026-41940 allows unauthenticated attackers to gain full administrative access to cPanel servers, compromising all hosted websites, databases, and configurations. With 1.5 million cPanel instances accessible online, the attack surface is massive.
How can organizations protect against these types of attacks?
Key protections include rapid security patching, employee security training to prevent social engineering, multi-factor authentication, network segmentation, and comprehensive backup strategies. Regular security assessments of internet-facing services are also critical.
Related news
- ShinyHunters lays claim to Canvas cyber attack as universities and schools around the world are hit hard – EdTech Innovation Hub
- Hackable Robot Lawn Mower Unlocks a New Nightmare – Wired
- cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now – The Hacker News
Sources
- Iranian APT Intrusion Masquerades as Chaos Ransomware Attack – SecurityWeek
- Karakurt Ransomware Negotiator Sentenced to Prison – SecurityWeek
- Ransomware Group Takes Credit for Trellix Hack – SecurityWeek
- Over 40,000 Servers Compromised in Ongoing cPanel Exploitation – SecurityWeek
- The Canvas Hack Is a New Kind of Ransomware Debacle – Wired